'puppet cert list' .. where is @ca initialized?


Drew Fisher

May 7, 2014, 7:07:10 PM
to puppe...@googlegroups.com
Good afternoon!

I'm trying to get RBAC working on Solaris 11.2 for Puppet 3.4.1.  Namely, I need to be able to list and sign waiting certificates as a non-root user (but with elevated RBAC permissions).  No matter what happens, I cannot seem to get the @ca object that puppet/application/cert.rb uses to be generated from /etc/puppet.  It's always using my own home directory.  Tracing through the various classes and methods, I end up in

[463, 468] in /usr/ruby/1.9/lib/ruby/vendor_ruby/1.9.1/puppet/ssl/certificate_authority.rb
   463    def waiting?
=> 464      Puppet::SSL::CertificateRequest.indirection.search("*").collect { |r| r.name }
   465    end

<....>

[99, 108] in /usr/ruby/1.9/lib/ruby/vendor_ruby/1.9.1/puppet/indirector/ssl_file.rb
   99    end
   100  
   101    # Search for more than one file.  At this point, it just returns
   102    # an instance for every file in the directory.
   103    def search(request)
=> 104      dir = collection_directory
   105      Dir.entries(dir).
   106        select  { |file| file =~ /\.pem$/ }.
   107        collect { |file| create_model(file.sub(/\.pem$/, ''), File.join(dir, file)) }.
   108        compact

(rdb:1) p collection_directory
"/home/dfisher/.puppet/ssl/ca/requests"

Where collection_directory is my home directory rather than the 'puppet' user's (/etc/puppet).

If anybody has any ideas on what's going on, I'd love to hear them.

Thanks!

Andy Parker

May 9, 2014, 2:55:08 PM
to puppe...@googlegroups.com
On Wed, May 7, 2014 at 4:07 PM, Drew Fisher <drewfi...@gmail.com> wrote:
Good afternoon!

I'm trying to get RBAC working on Solaris 11.2 for Puppet 3.4.1.  Namely, I need to be able to list and sign waiting certificates as a non-root user (but with elevated RBAC permissions).  No matter what happens, I cannot seem to get the @ca object that puppet/application/cert.rb uses to be generated from /etc/puppet.  It's always using my own home directory.  Tracing through the various classes and methods, I end up in


Just to clarify what you are doing. You are running "puppet cert list" as a non-root user? This isn't some ruby code that you wrote to use the puppet code as a library.

If that is the case, then I think all that you are seeing is that when puppet is running as non-root it will use $HOME/.puppet as its confdir and $HOME/.puppet/var as the $vardir. When puppet runs as root it will use /etc/puppet and /var/lib/puppet. So one way of doing this is to specify "--confdir /etc/puppet --vardir /var/lib/puppet" on the command line. You may still hit file permission problems when it tries to read and write files, but I suppose you are taking care of that with the RBAC system on Solaris (I don't know the details of that system).
--
You received this message because you are subscribed to the Google Groups "Puppet Developers" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-dev/276c8b73-eff2-4679-9914-3a805b403bf6%40googlegroups.com.



--
Andrew Parker
Freenode: zaphod42
Twitter: @aparker42
Software Developer

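Andy's answer boils down to two things: Puppet 3.x picks its confdir/vardir from whether it is running as root, and passing `--confdir /etc/puppet --vardir /var/lib/puppet` overrides that choice, after which the remaining failures are plain file permissions. The following POSIX shell snippet is an added example, not code from the thread or from Puppet itself: it encodes the root-versus-non-root default rule from the reply, pre-flights the CA directories that `puppet cert list` and `puppet cert sign` touch under the chosen confdir, and builds the override command line. The CA layout it checks (`ssl/ca/requests`, `ssl/ca/signed`, `ssl/ca/ca_key.pem`) is the Puppet 3 default; which files the Solaris RBAC profile must grant is not on the page and is left to the reader.

```shell
#!/bin/sh
# Added example: run `puppet cert` as a non-root user against /etc/puppet.
# Assumptions: Puppet 3.x default paths; the RBAC profile (not shown on the
# page) already grants whatever file privileges the checks below report.

# Puppet 3.x rule from the reply: root gets /etc/puppet, anyone else $HOME/.puppet.
default_confdir_for_uid() {
  if [ "$1" -eq 0 ]; then printf '%s\n' /etc/puppet
  else printf '%s\n' "${HOME}/.puppet"; fi
}

# Same rule for vardir: /var/lib/puppet for root, $HOME/.puppet/var otherwise.
default_vardir_for_uid() {
  if [ "$1" -eq 0 ]; then printf '%s\n' /var/lib/puppet
  else printf '%s\n' "${HOME}/.puppet/var"; fi
}

# Pre-flight the CA directories under a confdir ($1) for the calling user.
# `cert list` only needs to read requests/; `cert sign` also moves the CSR
# into signed/ and needs the CA key. Prints one line per problem, returns 1
# if anything is wrong so the RBAC profile can be fixed before running puppet.
preflight_ca_dirs() {
  confdir=$1
  rc=0
  for d in "$confdir/ssl/ca/requests" "$confdir/ssl/ca/signed"; do
    if [ ! -d "$d" ]; then
      echo "missing directory: $d"; rc=1
    elif [ ! -r "$d" ] || [ ! -x "$d" ]; then
      echo "cannot list/traverse: $d"; rc=1
    elif [ ! -w "$d" ]; then
      echo "not writable (cert sign will fail): $d"; rc=1
    fi
  done
  if [ ! -r "$confdir/ssl/ca/ca_key.pem" ]; then
    echo "cannot read CA key: $confdir/ssl/ca/ca_key.pem"; rc=1
  fi
  return $rc
}

# Build the command line with explicit --confdir/--vardir so a non-root
# invocation does not silently fall back to $HOME/.puppet (the symptom in
# the thread). $1 = action (list, sign), $2 = confdir, $3 = vardir, rest = args.
build_cert_cmd() {
  action=$1; confdir=$2; vardir=$3; shift 3
  printf 'puppet cert %s --confdir %s --vardir %s' "$action" "$confdir" "$vardir"
  for a in "$@"; do printf ' %s' "$a"; done
  printf '\n'
}

# Convenience wrapper: pre-flight, then run the command if the checks pass.
# Usage: run_cert list            or            run_cert sign agent01.example
run_cert() {
  action=$1; shift
  preflight_ca_dirs /etc/puppet || return 1
  cmd=$(build_cert_cmd "$action" /etc/puppet /var/lib/puppet "$@")
  echo "running: $cmd"
  eval "$cmd"
}
```

Source this file and call `run_cert list` from the RBAC-elevated shell. To confirm which directories a given invocation actually resolves before touching the CA, `puppet config print confdir vardir --confdir /etc/puppet --vardir /var/lib/puppet` prints the effective values; if it still shows `$HOME/.puppet`, the overrides are not reaching the process and no amount of permission tuning will help.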